ACK: [SRU][Q/N/J][PATCH 0/3] CVE-2026-23112
Masahiro Yamada
masahiro.yamada at canonical.com
Thu Apr 9 04:52:20 UTC 2026
On 4/6/26 19:51, Cengiz Can wrote:
> https://ubuntu.com/security/CVE-2026-23112
>
> [ Impact ]
>
> nvmet_tcp_build_pdu_iovec() can walk past cmd->req.sg when a PDU length
> or offset exceeds sg_cnt, then use bogus sg->length/offset values leading
> to _copy_to_iter() GPF/KASAN. An attacker with access to the NVMe-TCP
> target interface could trigger a kernel crash.
>
>
> [ Fix ]
>
> Cherry-picked from mainline for questing and noble. Adjusted for jammy
> due to older iovec style.
>
>
> [ Test Plan ]
>
> All three kernels were compile-tested and boot-tested. PoC verification
> confirmed the vulnerability is no longer triggerable after the fix.
>
>
> [ Where Problems Could Occur ]
>
> If the bounds checks are incorrect, NVMe-TCP connections could be
> prematurely terminated or the target could become unresponsive. In the
> worst case, a malformed check could still allow out-of-bounds access.
>
>
>
Acked-by: Masahiro Yamada <masahiro.yamada at canonical.com>
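
The bounds problem described under [ Impact ], as an added userspace illustration that is not part of this thread, the patch series, or the kernel source: a walk over a segment list that rejects any offset or length reaching past the last segment instead of reading the next entry. `struct seg`, `struct span`, `build_spans`, `demo` and the sample data are hypothetical names constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for a scatterlist entry (hypothetical model, not kernel code). */
struct seg { uint32_t offset, length; };
struct span { size_t seg; uint32_t off, len; };

/* Map pdu_len bytes starting at pdu_off onto segs[0..sg_cnt).
 * Returns the number of spans written, or -1 if the request would
 * step past the last segment (or overflow the output array). */
int build_spans(const struct seg *segs, size_t sg_cnt, uint64_t pdu_off,
                uint64_t pdu_len, struct span *out, size_t out_cap)
{
    size_t i = 0, n = 0;

    /* Consume the offset segment by segment, never indexing past sg_cnt. */
    while (i < sg_cnt && pdu_off >= segs[i].length)
        pdu_off -= segs[i++].length;

    while (pdu_len > 0) {
        if (i >= sg_cnt || n >= out_cap)
            return -1; /* offset or length exceeds the mapped data: reject */
        uint64_t avail = segs[i].length - pdu_off;
        uint64_t take = pdu_len < avail ? pdu_len : avail;
        out[n++] = (struct span){ i, (uint32_t)(segs[i].offset + pdu_off),
                                  (uint32_t)take };
        pdu_len -= take;
        pdu_off = 0; /* later segments are read from their start */
        i++;
    }
    return (int)n;
}

/* Constructed sample: two 4096-byte segments. */
static const struct seg sample[2] = { { 0, 4096 }, { 0, 4096 } };

int demo(uint64_t off, uint64_t len)
{
    struct span out[4];
    return build_spans(sample, 2, off, len, out, 4);
}

int main(void)
{
    printf("in range:        %d\n", demo(4000, 200));
    printf("offset past end: %d\n", demo(8192, 1));
    printf("length past end: %d\n", demo(4096, 4097));
    return 0;
}
```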